
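Vulnerability summary

Bug ID: wooyun-2014-062184

Title: LeTV employee account passwords leaked, leading to disclosure of sensitive internal LeTV information

Vendor: LeTV (乐视网)

Author:

Submitted: 2014-05-26 09:11

Fixed: 2014-07-10 09:11

Published: 2014-07-10 09:11

Vulnerability type: Weak backend password

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]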


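Vulnerability details

Disclosure status:

2014-05-26: Details reported to the vendor; awaiting vendor handling
2014-05-26: Vendor confirmed; details disclosed to the vendor only
2014-06-05: Details disclosed to core white hats and experts in related fields
2014-06-15: Details disclosed to regular white hats
2014-06-25: Details disclosed to intern white hats
2014-07-10: Details disclosed to the public

Brief description:

:-) Clever me

Detailed description:

1. For the method, see: WooYun: A LeTV system backend can be brute-forced to get into internal systems (an enumeration trick)

As far as I can tell, you only changed the weak-password accounts listed in that report and fixed nothing else.
And as I said last time, my dictionary had not even finished running.. Treating the symptom and not the cause, what use is that..?


2. Office system users collected from oa.letv.com: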



3. Automated fuzzing results:

liangjun:abc123456
hujia:abc123456


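4. What if I told you.. my dictionary actually still has not finished running this time either..
OK, enough joking, I'm just earning a bit of rank. Next time I won't bring up the OA here again..

Proof of vulnerability: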


OP, I got in. OP, I got out again..

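Fix:

WooYun: A LeTV system backend can be brute-forced to get into internal systems (an enumeration trick)
See the previously submitted vulnerability. Besides weak passwords, it is equally important that usernames cannot be enumerated.

Copyright notice: when reposting, please credit the source @乌云 (WooYun)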
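
The two points in the fix advice above (reject weak passwords, keep usernames non-enumerable), sketched as an added example that is not part of the original report or the vendor's code. All names (LoginService, is_weak, GENERIC_ERROR) and the sample denylist are hypothetical.

```python
import hashlib
import hmac
import os

# Hypothetical names throughout; constructed example, not the vendor's OA code.
GENERIC_ERROR = "Invalid username or password"
# Tiny constructed denylist; a real one would be a large breached-password list.
COMMON_PASSWORDS = {"abc123456", "123456789", "password1", "qwerty123"}

def is_weak(password, username):
    """Policy check applied when a password is set or changed."""
    p = password.lower()
    return len(p) < 10 or p in COMMON_PASSWORDS or username.lower() in p

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self, max_failures=5):
        self.users = {}      # username -> (salt, derived key)
        self.failures = {}   # submitted username -> consecutive failures
        self.max_failures = max_failures
        # Dummy record so an unknown username costs the same KDF work as a real one.
        salt = os.urandom(16)
        self._dummy = (salt, _kdf(os.urandom(16).hex(), salt))

    def set_password(self, username, password):
        if is_weak(password, username):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.users[username] = (salt, _kdf(password, salt))

    def login(self, username, password):
        # Throttle on the submitted name whether or not it exists, so the
        # lockout itself does not reveal which accounts are real.
        if self.failures.get(username, 0) >= self.max_failures:
            return False, GENERIC_ERROR
        salt, stored = self.users.get(username, self._dummy)
        # The KDF and comparison always run; existence is checked afterwards.
        ok = hmac.compare_digest(_kdf(password, salt), stored) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return True, "OK"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_ERROR
```

Unknown user, wrong password and throttled account all produce the same response, so the login form gives no signal about which names exist.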


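Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2014-05-26 09:22

Vendor reply:

Thanks, fixing takes time, we are hurrying~~~~

Latest status:

None yet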